HOW IMPORTANT IS YOUR DATA?


Years of family photos. Your entire music 
and movie collection. Office documents 
you've put hours of work into. Backups for 
every computer you own. We ask again, how 
important is your data? 


NOW IMAGINE LOSING IT ALL 


Losing one bit - that’s all it takes. One single bit, and 
your file is gone. 





The worst part? You won't know until you
absolutely need that file again.

[Figure: example of one-bit corruption]





THE SOLUTION


The FreeNAS Mini has emerged as the clear choice to
save your digital life. No other NAS in its class offers
ECC (error correcting code) memory and ZFS bitrot
protection to ensure data always reaches disk
without corruption and never degrades over time.

No other NAS combines the inherent data integrity
and security of the ZFS filesystem with fast on-disk
encryption. No other NAS provides comparable power
and flexibility. The FreeNAS Mini is, hands-down, the
best home and small office storage appliance you can
buy on the market. When it comes to saving your
important data, there simply is no other solution.


The Mini boasts these state-of-the-art features:

• Up to 16TB of storage capacity
• 16GB of ECC memory (with the option to upgrade
  to 32GB)
• 2x 1 Gigabit network controllers
• Remote management port
• Tool-less design; hot swappable drive trays














Intel, the Intel logo, Intel Atom and Intel Atom Inside are trademarks of Intel Corporation in the U.S. and/or other countries. 
CERTIFIED STORAGE


With over six million downloads, 
FreeNAS is undisputedly the most 
popular storage operating system 
in the world. 


Sure, you could build your own FreeNAS system:
research every hardware option, order all the
parts, wait for everything to ship and arrive, vent at
customer service because it hasn't, and finally build it
yourself while hoping everything fits - only to install
the software and discover that the system you spent
days agonizing over isn't even compatible. Or...


MAKE IT EASY ON YOURSELF 


As the sponsors and lead developers of the FreeNAS
project, iXsystems has combined over 20 years of
hardware experience with our FreeNAS expertise to
bring you FreeNAS Certified Storage. We make it
easy to enjoy all the benefits of FreeNAS without
the headache of building, setting up, configuring,
and supporting it yourself. Coming from one of the leaders
in the storage industry, you know that you're getting the
best combination of hardware designed for optimal
performance with FreeNAS.


Every FreeNAS server we ship is... 


» Custom built and optimized for your use case 

» Installed, configured, tested, and guaranteed to work out 
of the box 

» Supported by the Silicon Valley team that designed and 
built it 

» Backed by a 3-year parts and labor limited warranty





Contact us today for a FREE Risk
Elimination Consultation with one of our FreeNAS
experts. Remember, every purchase directly supports
the FreeNAS project so we can continue adding
features and improvements to the software for years
to come. And really - why would you buy a FreeNAS
server from anyone else?








FreeNAS 1U

• Intel® Xeon® Processor E3-1200v2 Family
• Up to 16TB of storage capacity
• 16GB ECC memory (upgradable to 32GB)
• 2x 10/100/1000 Gigabit Ethernet controllers
• Redundant power supply


FreeNAS 2U

• 2x Intel® Xeon® Processors E5-2600v2 Family
• Up to 48TB of storage capacity
• 32GB ECC memory (upgradable to 128GB)
• 4x 1GbE Network interface (Onboard)
  (Upgradable to 2 x 10 Gigabit Interface)
• Redundant Power Supply










http://www.iXsystems.com/storage/freenas-certified-storage/ 


Intel, the Intel logo, the Intel Inside logo and Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. 


EDITOR’S WORD 


Dear Readers, 

You are going to read the "Beyond BIOS" issue from
BSD magazine. You will learn how to prepare to install
an EFI environment on an Intel-based computer, how to perform
the installation and how to manage the computer
once it's up and running. What is more, our experts will teach
those of you with moderate experience in any Unix-like system to install
and deploy a quality office server with common applications
and services. Finally, you may find interest in the "Debugging
and Troubleshooting: Fun, Profit and Go Home Earlier" tutorial
provided by Carlos Antonio Neira Bustos. Carlos is going to
represent a real life situation where debugging skills will save us
time, headaches and possibly find a solution using a minimal
amount of effort.





I would like to express my gratitude to our experts who contributed
to this publication and invite others to cooperate with our magazine.


The next issue of BSD Magazine will be published in 4 weeks.
If you are interested in learning more about the future content
or you would like to get in touch with our team, please feel free
to send your messages to ewa.d@bsdmazg.org. I will be more
than pleased to talk and answer all your questions.


Hope you enjoy the issue. 


Ewa Dudzic 
and BSD team 




Editor in Chief: 
Ewa Dudzic 
ewa.dudzic@software.com.pl 


Contributing: 

Michael Shirk, Andrey Vedikhin, Petr Topiarz, 
Charles Rapenne, Anton Borisov, Jeroen van 
Nieuwenhuizen, José B. Alos, Luke Marsden, Salih Khan,
Arkadiusz Majewski, BEng, Toki Winter, Wesley Mouedine 
Assaby, Rob Somerville 


Top Betatesters & Proofreaders: 
Annie Zhang, Denise Ebery, Eric Geissinger, Luca 
Ferrari, Imad Soltani, Olaoluwa Omokanwaye, Radjis 
Mahangoe, Mani Kanth, Ben Milman, Mark VonFange 


Special Thanks: 
Annie Zhang 
Denise Ebery 


Art Director: 
Ireneusz Pogroszewski


DTP: 
Ireneusz Pogroszewski
ireneusz.pogroszewski@software.com.pl


Senior Consultant/Publisher: 
Paweł Marciniak
pawel@software.com.pl


CEO: 
Ewa Dudzic 
ewa.dudzic@software.com.pl 


Publisher: 
Hakin9 Media SK
Postępu 17D
02-676 Warsaw, Poland
worldwide publishing
editors@bsdmag.org
www.bsdmag.org


Hakin9 Media SK is looking for partners from all over the 
world. If you are interested in cooperation with us, please 
contact us via e-mail: editors@bsdmag.org. 


All trademarks presented in the magazine were used 
only for informative purposes. All rights to trademarks 
presented in the magazine are reserved by the 
companies which own them. 


08/2014 











IN BUSINESS


FreeNAS
in an Enterprise Environment


By the time you're reading this, FreeNAS has been downloaded
more than 5.5 million times. For home users, it's become an
indispensable part of their daily lives, akin to the DVR.
Meanwhile, all over the world, thousands of businesses,
universities, and government departments use FreeNAS to
build effective storage solutions in myriad applications.


What you will learn:

• How TrueNAS builds off the strong points of the FreeBSD and
• How TrueNAS meets modern storage challenges for entery


THE PEOPLE WHO DEVELOP FREENAS, THE WORLD'S MOST
POPULAR STORAGE OS, HAVE JUST REVAMPED TRUENAS.


The FreeNAS operating systems is fre
the public and offers thorough doc
active community, and a feature-rig
the storage environment. Based on Free
can share over a host of protocols (SM
FTP, iSCSI, etc) and features an intuiti
the ZFS file system, a plug-in system
much more.
Despite the massive popularity g
aren't aware of its big brother dut
data in some of the most demand
environments: the proven, enterp
professionally-supported line of
But what makes TrueNAS diffd
Well, I'm glad you asked...


Commercial Grade Supp
When a mission critical stor
organization's whole operat
responsiveness and expe
Created by the sa
developed FreeNAS.


POWER WITHOUT CONTROL MEANS NOTHING.

• Simple Management
• Self-Healing Filesystem
• Hybrid Flash Acceleration
• High Availability
• Qualified for VMware and HyperV
• Works Great With Citrix XenServer®
• Up Front (no hidden licensing fees)


To learn more, visit: www.iXsystems.com/truenas
Beyond BIOS, The Extended Firmware
Interface (EFI)
José B. Alos
José describes the overall features and principles of EFI,
including why you might want to use it, how EFI boots
and what types of boot loaders you might use with it to
enable non-Windows 8 OSes to boot on an EFI computer.
The next three parts of this series will describe how to
prepare to install an EFI environment on an Intel-based
computer, how to perform the installation and how to
manage the computer once it's up and running.


Debugging and Troubleshooting:
Fun, Profit and Go Home Earlier
Carlos Antonio Neira Bustos
Debugging/Troubleshooting is a really useful skill when
you are working on maintaining legacy applications,
doing small incremental changes to an old code
base where the code has been touched by so many
hands over the years that it is really becoming a mess.
So, management has decided that the code works as-is
and you are not allowed to change it all over "the right
way (tm)". In this tutorial, Carlos is going to present a
real life situation where debugging skills will save us time,
headaches and possibly find a solution using a minimal
amount of effort.


Deploying an Office Server In FreeBSD,
With File Sharing and E-mail
Ivan Voras
The goal of this tutorial is to teach users with moderate
experience in any Unix-like system to install and deploy
a quality office server with common applications and
services. To ensure this, the tutorials of the workshop will
cover not only how something is done but also why it's
done. And this will also be reflected in the final test.


Return Oriented Programming
Juanma Menéndez

Juanma, in this article, presents how easily a hacker can
exploit a stack overflow on an NX bit protected system,
and the other protections that we must not neglect as
well, such as compiler options and Address Space Layout
Randomization (ASLR). Only when these protections
work together can we speak of a hardened
programming environment.
CYBER SECURITY EXPO


An event at ExCeL London for a new era of cyber threats

www.cybersec-expo.com


» The most comprehensive analysis anywhere of how to protect
the modern organisation from cyber threats

» Free to attend seminars delivered by Mikko Hyppönen,
Eugene Kaspersky and many more

» Attend the "Hack Den", a live open source security lab to
share ideas with White Hat hackers, security gurus,
Cyber Security EXPO speakers and fellow professionals

» Network with industry experts and meet with Cyber
Security exhibitors

» Discover what the IT Security team of the future
will look like


Cyber Security EXPO is the new place for everybody wanting to protect
their organisation from the increasing commercial threat of cyber
attacks. Cyber Security EXPO has been designed to provide CISOs and
IT security staff the tools, new thinking and policies to meet the 21st
century business cyber security challenge.

Co-located at IP EXPO EUROPE, 8-9 October 2014, ExCeL London
www.ipexpo.co.uk

Cyber Security EXPO delves into business issues beyond traditional
enterprise security products, providing exclusive content on behaviour
trends and business continuity. At Cyber Security EXPO, discover how
to build trust across the enterprise to securely manage disruptive
technologies such as: Cloud, Mobile, Social, Networks, GRC, Analytics,
Identity & Access, Data, Encryption and more.
Beyond BIOS,
The Extended Firmware Interface (EFI)


This article describes the overall features and principles of the
Extended Firmware Interface (EFI), including why you might
want to use it, how EFI boots and what types of boot loaders
you might use with it to enable non-Windows 8 OSes to boot on
an EFI computer. The next three parts of this series will describe
how to prepare for the installation of an EFI environment on an
Intel-based computer, how to perform the installation and how
to manage the computer once it's up and running.


EFI is very different from a PC BIOS, as it offers
a wide range of functionality even before the OS
starts loading. It is modular (you can add custom
code or drivers), runs on various platforms and applica-
tions, its drivers can be written in C instead of assembler,
making them more portable, etc. Besides the native CPU
code, EFI supports custom byte code, so drivers can be
compiled so that they are portable between CPU architec-
tures without the need for recompilation.


Introduction

Once upon a time, the first IBM PC 5150 was shipped in
1981 with a new 16-bit processor, made by Intel Corpo-
ration, and bundled with a firmware known as the Basic
Input Output System (BIOS). The BIOS was the interface
between all hardware devices and the Operating System
(OS). At the beginning, there was no problem with this
approach, but as hard disk and RAM prices fell, several
of its features turned into a handicap:


• No more than four primary partitions are allowed
• The boot process requires 16-bit real mode
• The boot process starts by loading 512 bytes of data
  (the Master Boot Record, MBR)
• Disks over 2 TB are not supported by the BIOS approach
• The BIOS is unable to access any disk file system and
  therefore cannot load any executable image file such
  as an OS kernel


The i386 compatibility architecture was based on keep-
ing the initial bootstrapping process used since 1981.
It did not take advantage of protected mode and 32-bit
register addressing provided by the 80386 and later Intel mi-
croprocessors. It was not modified until 2005, at which
time the Extensible Firmware Interface (EFI) was devel-
oped to provide a more versatile and updated boot pro-
cess based on the ability to load and execute ELF imag-
es directly from the initialization code.

Regarding hard disk devices, BIOS-based comput-
ers could only handle up to 2^32 sectors of 512 bytes each,
which leads to a 2 TB limit on storage capacity.
Besides, the special partition managed by EFI and termed
the EFI System Partition (ESP) can use both the FAT-32 file
system, as encouraged by the EFI standard, and FAT-16.
It can even use HFS+ on Mac OS X computers.
This ESP has the partition code 0xEF00, which allows
quick identification.

As the BIOS cannot access a file system on a disk and
therefore is unable to load an executable image file such
as an OS kernel, every OS must have its own boot loader
under the BIOS approach, which constitutes a huge source
of problems. A way to avoid the use of separate boot load-
ers for each OS installed is to use the Multiboot Specification
(MS), which will be covered in another article.

Considering the historical background explained above,
the Extensible Firmware Interface (EFI) has its roots in
1998 with the Intel Boot Initiative (IBI) program. Hence,
the EFI specification, which has been developed and sup-
ported by a consortium formed by Intel and Microsoft,
among other companies, defines an API and data struc-
tures to handle generic firmware on a wide variety of plat-
forms in order to provide OS loaders, EFI device drivers,
and diagnostics by means of an EFI command interpreter
or EFI Shell.

The first EFI specification was EFI 1.02, released in
2000. Due to legal issues, it was re-released two years
later under the denomination EFI 1.10 and restricted to
Itanium microprocessors. In order to avoid undesirable
scattering, the Unified EFI Forum was created, including
companies such as Intel, AMD, AMI, Apple, Dell, HP, IBM,
Phoenix and, of course, Microsoft, among others. This ini-
tiative led to Unified EFI (UEFI) standardization. Lat-
er on, AMD created its own 64-bit architecture, AMD64,
which was backward compatible with IA32. The AMD64
architecture is equivalent to Intel's EM64T architecture
and it was eventually supported in the UEFI 2.0 standard.
Nowadays, the latest standard is UEFI 2.1, which includes
a few changes with respect to its predecessor.
Figure 1. Comparison between BIOS and UEFI approach





Last but not least, EFI can boot a computer faster than
BIOS-based booting. On average, the EFI booting process
is more than 20 seconds faster than using BIOS boot mode.

EFI has its drawbacks too, of course. The most impor-
tant of these is the fact that it's new. This means that old
boot loaders don't work with it and users are unfamiliar
with it. Another significant problem is that the EFI boot
process assumes the OS will run in the same bit depth
as the EFI. Because all UEFI-based PCs and most EFI-
based Macs use 64-bit firmware, this means that 64-bit
OSes work best with these computers (the earliest Intel-
based Macs used 32-bit EFIs though). Installing a 32-bit
version of Linux on a computer with a 64-bit EFI is pos-
sible, but you'll give up runtime EFI interfaces. This makes
boot loader maintenance harder, since the efibootmgr util-
ity (which will be described in part three of this series) re-
lies on such interfaces. For this reason, I recommend in-
stalling a 64-bit distribution if your firmware is 64-bit.


GUID Partition Table (GPT)
The GUID Partition Table (GPT) is a new standard for disk
partitioning providing a set of advanced features such as:


• Modern logical block addressing (LBA)
• 64-bit LBA pointers to manage partitions up to 8 ZB
• Support for non-512 byte sector size disks
• Up to 128 partitions per disk
• Inclusion of a backup partition table


Although NetBSD can access GPT disks by using dk
wedges, it is not possible to boot off a GPT disk in a
straightforward manner, and the current strategy to boot
is similar to EFI bootstrapping:


BIOS → LBA0 → PBR on EFI syspart → /boot → NetBSD kernel
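As an added illustration (not code from the article), the Python script below does what an LBA0 loader such as mbr_gpt has to do before it can find a bootable partition: it checks the "EFI PART" signature and both CRC32s of the primary GPT, verifies that every entry lies inside the usable LBA range, and identifies the EFI System Partition by its type GUID (the partition the article refers to by its code 0xEF00). The partition table is constructed inside the script to mirror the layout used later in the article (gpt add -s 65536 -t efi; gpt add -t ffs); the ESP type GUID is the one from the UEFI specification and the FFS GUID is the NetBSD FFS type from NetBSD's GPT definitions.

```python
"""Parse and integrity-check a GPT header and partition array (added example)."""
import struct
import uuid
import zlib

SECTOR = 512
SIGNATURE = b"EFI PART"
# Partition type GUIDs: the EFI System Partition (code 0xEF00) and NetBSD FFS.
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
FFS_TYPE = uuid.UUID("49F48D5A-B10E-11DC-B99B-0019D1879648")
TYPE_NAMES = {ESP_TYPE: "EFI System Partition", FFS_TYPE: "NetBSD FFS"}

HEADER = struct.Struct("<8s4sII4sQQQQ16sQIII")  # 92-byte GPT header at LBA 1
ENTRY = struct.Struct("<16s16sQQQ72s")           # 128-byte partition entry


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_header(block):
    """Validate the GPT header held in one 512-byte block and return its fields."""
    (sig, _rev, size, hdr_crc, _rsv, my_lba, alt_lba, first, last,
     disk_guid, ent_lba, n_ent, ent_size, ent_crc) = HEADER.unpack_from(block)
    if sig != SIGNATURE:
        raise ValueError("not a GPT header: bad signature")
    # The header CRC covers the first `size` bytes with the CRC field itself zeroed.
    if crc32(block[:16] + b"\x00" * 4 + block[20:size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    return {"my_lba": my_lba, "alt_lba": alt_lba, "first_usable": first,
            "last_usable": last, "disk_guid": uuid.UUID(bytes_le=disk_guid),
            "entries_lba": ent_lba, "n_entries": n_ent, "entry_size": ent_size,
            "entries_crc": ent_crc}


def parse_entries(array, hdr):
    """Check the partition array CRC against the header and list the used slots."""
    used = hdr["n_entries"] * hdr["entry_size"]
    if crc32(array[:used]) != hdr["entries_crc"]:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(hdr["n_entries"]):
        type_raw, _guid, start, end, _attr, name = ENTRY.unpack_from(
            array, i * hdr["entry_size"])
        ptype = uuid.UUID(bytes_le=type_raw)
        if ptype.int == 0:
            continue  # unused slot (all-zero type GUID)
        if not hdr["first_usable"] <= start <= end <= hdr["last_usable"]:
            raise ValueError("partition %d lies outside the usable LBA range" % (i + 1))
        parts.append({"index": i + 1, "type": ptype,
                      "type_name": TYPE_NAMES.get(ptype, "other"),
                      "start": start, "end": end, "sectors": end - start + 1,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return parts


def find_esp(array, hdr):
    """Return the EFI System Partition entries, as mbr_gpt must locate one to boot."""
    return [p for p in parse_entries(array, hdr) if p["type"] == ESP_TYPE]


def build_gpt(disk_sectors, partitions):
    """Construct a primary GPT (header block, entry array) for a test image.

    `partitions` is a list of (type GUID, start LBA, end LBA, name)."""
    n, esz = 128, ENTRY.size
    array = bytearray(n * esz)
    for i, (ptype, start, end, name) in enumerate(partitions):
        ENTRY.pack_into(array, i * esz, ptype.bytes_le, uuid.uuid4().bytes_le,
                        start, end, 0, name.encode("utf-16-le").ljust(72, b"\0"))
    array_sectors = (n * esz + SECTOR - 1) // SECTOR    # 32 sectors for 128 entries
    fields = [SIGNATURE, b"\x00\x00\x01\x00", HEADER.size, 0, b"\x00" * 4,
              1, disk_sectors - 1,                      # this header, backup header
              2 + array_sectors, disk_sectors - 2 - array_sectors,
              uuid.uuid4().bytes_le, 2, n, esz, crc32(array)]
    block = bytearray(SECTOR)
    HEADER.pack_into(block, 0, *fields)
    fields[3] = crc32(block[:HEADER.size])              # fill in the header CRC
    HEADER.pack_into(block, 0, *fields)
    return bytes(block), bytes(array)


# Constructed sample mirroring the article's layout on a 1 GiB image of
# 512-byte sectors:  gpt add -s 65536 -t efi sd0 ; gpt add -t ffs sd0
DISK_SECTORS = 2 ** 21
SAMPLE_HEADER, SAMPLE_ARRAY = build_gpt(DISK_SECTORS, [
    (ESP_TYPE, 34, 34 + 65536 - 1, "EFI system"),
    (FFS_TYPE, 34 + 65536, DISK_SECTORS - 34, "NetBSD root"),
])

if __name__ == "__main__":
    hdr = parse_header(SAMPLE_HEADER)
    for p in parse_entries(SAMPLE_ARRAY, hdr):
        print("%d %-20s %10d..%-10d %s" % (p["index"], p["type_name"],
                                            p["start"], p["end"], p["name"]))
    print("ESP found:", bool(find_esp(SAMPLE_ARRAY, hdr)))
```

On a real disk, feed parse_header the 512 bytes at LBA 1 and parse_entries the 16 KiB starting at the LBA the header reports; a CRC mismatch on either is exactly the one-bit corruption the backup table at alt_lba exists to recover from.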


Secure Boot and Microsoft Legacy 

One of the most controversial features of EFI is Secure 
Boot. This feature was originally intended to improve se- 
curity by ensuring that only boot loaders signed with a 
crypto key can run. In such a way, malware code cannot 
be executed as it is not signed with this key. However, 
Microsoft requires Secure Boot enabled for Windows 8 
use in desktop and laptop computers and as a practical 
matter, Microsoft's keys are included in the vast majority 
of new computers with UEFI support. No other company/
organization has the power to guarantee that their keys 
are also included. 

The only way to bypass this inconvenience is through 
the use of Microsoft's signing service. Otherwise, the only 
way to avoid any issues with non-Windows OSes is to dis- 
able Secure Boot, which is perfectly possible if you do not 
want to use MS Windows 8. 
A Tour of the EFI Shell

Before introducing the main topic, it is important to take a
preliminary look at UEFI usage so that readers can
see the main differences between the former BIOS and the
new paradigm for new 64-bit Intel computers. There are
many possibilities.









Figure 2. BIOS and UEFI End-User Interface


End-User EFI Commands
Whenever a new Intel-based computer is started, the UEFI
program starts its execution; to get into a shell, proceed as follows:


fs0:\> ver
EFI Specification Revision : 1.10
EFI Vendor : INTEL
EFI Revision : 14.62
fs0:\> ls
fs0:\> devices -b
fs0:\> dh -b
fs0:\> cd apps
fs0:\apps> ls
fs0:\apps> load tcpipv4.efi
fs0:\apps> ifconfig -a
fs0:\apps> ifconfig lo0 inet 127.0.0.1 up


For Mac OS X computer owners, the following com-
mand is useful to examine a GPT hard disk:


fs0:\diskutils> diskpart


Finally, if you need some help, issue the following
command to display the commands one screen at a time:


help -b
Programming EFI

If you are an experienced programmer, it is possible to de-
velop and evaluate your own EFI applications even using
an IA-32 computer. To get the true flavor of EFI, you need
two different environments:


Runtime Environment

To explore EFI on IA-64 or IA-32 computers, use the
BIOS32 boot floppy provided by Intel to boot into a real
EFI environment running on x86 with a legacy BIOS.


Development Environment
To develop EFI programs, such as device drivers, boot
loaders and so on, consisting of:


• A host operating system
• GNU CC toolchain
• Intel EFI Application Toolkit


The Intel EFI Application Toolkit is provided by the TianoCore proj-
ect and is available under BSD licenses at www.tianocore.org.
Alternatively, there is a GNU EFI development port,
but it is not mature enough yet.
Figure 3. BIOS vs. UEFI API Program Development


In order to compare the main differences between BIOS
and UEFI, be aware that UEFI offers a complete API to
support low-level firmware development.


EFI Boot-Loaders
In comparison with BIOS boot loaders, EFI boot loaders
are still under heavy development, as follows:


• ELILO: one of the most reliable boot loaders for GNU/
  Linux systems, but it requires the kernel to be loaded
  from the ESP and does not allow other locations.

• GRUB-2: supports both BIOS and EFI booting but re-
  quires installing an EFI-capable package such as
  grub-efi. Its predecessor, GRUB Legacy, does not
  support the EFI booting process. GRUB-2 is
  sometimes very complex to handle.

• rEFIt: is not capable of booting a kernel directly and
  requires a chainload to make it possible.


My only experience at the moment with Linux kernels is
that work is being done to embed EFI boot loader support
to load the kernel directly without using a third-party EFI
boot loader. To sum up, have a look at the following table:


[Table: chain-load support of EFI boot loaders (GRUB-2, Linux kernel)]


And just to conclude this section, one of our favorite UEFI
boot loaders, and our recommended choice for Mac OS X
fans, is rEFIt, which supports graphical output as shown:


Figure 4. rEFIt UEFI bootloader main screen


No matter which UEFI boot loader you choose, have
a clear understanding about the implications of using it,
especially if you have to coexist with Microsoft™ Windows
OS on your computer.


The BSD Certification Group Inc.
(BSDCG) is a non-profit organization
committed to creating and
maintaining a global certification
standard for system administration
on BSD based operating systems.


BSDA: Entry-level certification suited for candidates
with a general Unix background and at least six months of
experience with BSD systems.


BSDP: Advanced certification for senior system administrators
with at least three years of experience on BSD systems.
Successful BSDP candidates are able to demonstrate
strong to expert skills in BSD Unix system administration.


We're pleased to announce that after 7 months of
negotiations and the work required to make the exam
available in a computer based format, the BSDA
exam is now available at several hundred testing centers
around the world. Paper based BSDA exams cost $75;
computer based BSDA exams cost $150 USD. The price of
the BSDP exams is yet to be determined.


Payments are made through our registration website:
https://register.bsdcertification.org//register/payment


More information and links to our mailing lists, LinkedIn
groups, and Facebook group are available at our website:
http://www.bsdcertification.org


Registration for upcoming exam events is available at our
registration website:
https://register.bsdcertification.org/register/get-a-bsdcg-id


NetBSD/EFI in i386 Architectures

The NetBSD/i386 boot process uses a two-stage boot
loader, where the first stage is installed in a well-known
physical location (the first sector of the disk, the MBR) and
provides the information needed to start the second stage
boot loader, placed on the root file system, and transfer
control to it. Once the second stage boot loader has taken
control, it switches the processor into protected mode with
full 32/64-bit addressing and none of the segmented memory
of 16-bit real mode.


NetBSD and GPT Awareness

It's possible to boot NetBSD from a GPT partitioned disk
when using a PC BIOS computer. The approach is quite
similar to the NetBSD MBR boot loader and is comprised
of three parts:


• mbr_gpt/mbr_gpt_com0 is an LBA0 loader intended
  to be used by a BIOS-based computer, whose main
  aim is to find a bootable GUID partition.

• bootxx_fat16 is a PBR loader which can be executed
  by either the MBR loader or the BIOS. The mission of this
  stage is to load the NetBSD boot(8) kernel loader, which
  has to be placed in an ESP FAT16 partition; this can be a
  source of trouble given the recommendation to use
  FAT32-formatted ESPs.

• The NetBSD boot(8) kernel loader is in charge of loading
  and running the NetBSD kernel from either a GUID or
  disklabel partition.


At the time of writing this article, an effort is being
made to get an EFI boot loader for NetBSD systems in
order to get rid of the former GRUB-based approach. It
will be available by the end of this year, I hope. Anyway,
if you are not using MS Windows 8 on your computer, you
can safely follow these instructions to minimize the im-
pact of new EFI-based computers.


Installation Procedure of NetBSD
To build and install the NetBSD loader, you should have
the following software:


• Current NetBSD kernel sources as distributed in the
  syssrc package.

• sbin/gpt and usr.sbin/installboot loader installation tools.

• The latest GPT bootloader patch, available at
  http://www.netbsd.org/~mishka/gptboot/gptboot.patch
The following steps describe what you'd need to build a
NetBSD loader:


1. Download all the sources above.

2. Prepare the src tree for patching by creating the missing
directories. See the list of the directories inside the
patchfile:


$ awk '/^WARNING:/ {print $(NF)}' gptboot.patch


3. Apply the patch.

4. Build the GPT loaders and tools in the following directories:


sys/arch/i386/stand/mbr/mbr_gpt
sys/arch/i386/stand/fatboot/fat16
sys/arch/i386/stand/boot/biosboot
sbin/gpt
usr.sbin/installboot


All of the above builds just fine on NetBSD 5.0 (including
amd64) without cross compilation. installboot may
require passing -DSMALLPROG to make [1] to exclude
extra stuff and simplify the build process. Also, the new sys/
sys/bootblock.h has to be used in place of /usr/include/
sys/bootblock.h.


Loader Installation

First of all, you should prepare your disk. The disk should
be GPT partitioned and have at least two partitions, one
for NetBSD and one for the boot loader, as follows:


# gpt create sd0
# gpt add -s 65536 -t efi sd0
# gpt add -t ffs sd0
# gpt show


Then issue a set of dkctl addwedge commands, or reattach
the disk to configure dk wedges automatically.

NB: Wedges are not supported on vnd(4) devices.

Next, format the partitions accordingly:


# newfs_msdos -F 16 /dev/dk0
# newfs /dev/dk1


Please note that newfs_msdos seems to have a bug and
can incorrectly determine the file system size (check the num-
ber of file system sectors reported by newfs_msdos; it must be
less than or equal to the partition size). If this happens, re-
format the file system, explicitly specifying the correct fs size via
the newfs_msdos -s option.
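The size check above can be scripted. The following Python, added here and not part of the article, decodes the BIOS Parameter Block of the FAT boot sector that newfs_msdos writes, derives the total sector count and the FAT type (FAT12/16/32 is decided by cluster count) from it, and compares them with the 65536-sector wedge created by gpt add -s 65536 -t efi. The boot sector in the script is constructed for the test; on a real system read the first 512 bytes of /dev/rdk0 instead.

```python
"""Check that a FAT16 ESP's boot sector agrees with its GPT wedge (added example)."""
import struct

# BIOS Parameter Block of a FAT12/FAT16 boot sector (bytes 0..35): jump, OEM name,
# BytsPerSec, SecPerClus, RsvdSecCnt, NumFATs, RootEntCnt, TotSec16, Media,
# FATSz16, SecPerTrk, NumHeads, HiddSec, TotSec32.
BPB = struct.Struct("<3s8sHBHBHHBHHHII")
FAT16_MIN_CLUSTERS, FAT32_MIN_CLUSTERS = 4085, 65525


def fat_geometry(boot_sector):
    """Decode the BPB and derive total sectors, cluster count and FAT type."""
    if len(boot_sector) < 512 or boot_sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot sector signature")
    (_jmp, _oem, bps, spc, rsvd, nfats, root_ent, tot16, _media,
     fatsz16, _spt, _heads, _hidden, tot32) = BPB.unpack_from(boot_sector)
    if fatsz16 == 0:
        raise ValueError("FAT32 layout (FATSz16 == 0) is not handled here")
    total = tot16 or tot32                      # TotSec16, else TotSec32
    root_sectors = (root_ent * 32 + bps - 1) // bps
    data_sectors = total - (rsvd + nfats * fatsz16 + root_sectors)
    clusters = data_sectors // spc
    fat_type = ("FAT12" if clusters < FAT16_MIN_CLUSTERS
                else "FAT16" if clusters < FAT32_MIN_CLUSTERS else "FAT32")
    return {"bytes_per_sector": bps, "total_sectors": total,
            "clusters": clusters, "fat_type": fat_type}


def check_esp(boot_sector, wedge_sectors, want="FAT16"):
    """Return the problems the article warns about; an empty list means OK."""
    geo = fat_geometry(boot_sector)
    problems = []
    if geo["total_sectors"] > wedge_sectors:
        problems.append("file system claims %d sectors but the wedge has %d"
                        % (geo["total_sectors"], wedge_sectors))
    if geo["fat_type"] != want:
        problems.append("file system is %s, expected %s" % (geo["fat_type"], want))
    return problems


def make_boot_sector(total_sectors, spc=4, fat_sectors=64):
    """Constructed FAT16 boot sector for tests (not real newfs_msdos output)."""
    tot16 = total_sectors if total_sectors < 0x10000 else 0
    bs = bytearray(512)
    BPB.pack_into(bs, 0, b"\xeb\x3c\x90", b"BSD  4.4", 512, spc, 1, 2, 512,
                  tot16, 0xF8, fat_sectors, 63, 255, 0, 0 if tot16 else total_sectors)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


if __name__ == "__main__":
    WEDGE = 65536                               # gpt add -s 65536 -t efi
    print(check_esp(make_boot_sector(WEDGE), WEDGE))          # []
    print(check_esp(make_boot_sector(WEDGE + 2048), WEDGE))   # oversized fs
```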
To install the loaders, issue the following commands:


# .../gpt biosboot -c $NETBSDSRC_DIR/sys/arch/i386/stand/mbr/mbr_gpt/mbr_gpt sd0
# .../installboot /dev/rdk0 $NETBSDSRC_DIR/sys/arch/i386/stand/fatboot/fat16/bootxx_fat16
# mount -t msdos /dev/dk0 /mnt
# cp $NETBSDSRC_DIR/sys/arch/i386/stand/boot/biosboot/boot /mnt
# echo "menu=Boot NetBSD:boot hd0b:netbsd" > /mnt/boot.cfg
# umount /mnt


The gpt(8) tool will automatically find the EFI system partition on
sd1 and instruct mbr_gpt where to load the PBR from. The remaining
loaders, however, must be installed on dk wedges. If you're confused
about the names, you may use gpt(8) on a wedge, but in this
case mbr_gpt will load the PBR from the specified wedge:


# .../gpt biosboot -c $NETBSDSRC_DIR/sys/arch/i386/stand/mbr/mbr_gpt/mbr_gpt dk0


Then, install kernel and base system files through: 


# mount /dev/dk1 /mnt
# cp /netbsd /mnt


Then, create the usual NetBSD hierarchy: /dev, /etc, /sbin,
etc., and specify the root partition as it will be enu-
merated by DKWEDGE_AUTODISCOVER:


# echo "/dev/dk1 / ffs rw 1 1" > /mnt/etc/fstab
# umount /mnt


Please note the disk names on previous steps. It might 
be somewhat confusing, so here is an explanation: 


• gpt biosboot ... sd0: LBA0 means installation in the very
  first sector of the physical disk, so we should specify the
  parent device of our GPT wedges. A dk device can also
  be used. In that case, mbr_gpt will look for a GUID parti-
  tion matching the dk device at the moment of installation.

• installboot /dev/rdk0 ...: bootxx_fat16 should be in-
  stalled onto the EFI System Partition. See the gpt add com-
  mands earlier. mount -t msdos /dev/dk0 ...: the boot(8)
  should be stored on the EFI System Partition as well.

• echo menu=Boot NetBSD:boot hd0b:netbsd ...: the
  hd0b means the second partition, which matches dk1
  after boot. Please see the to-do list about that. The
  remaining commands refer to dk1, which is the NetBSD
  FFS partition.

Now reboot and have fun. :)


The Easy Way: Using Another OS Boot Loader to
Start the BSD OS

The fastest and safest way to start a BSD OS like NetBSD
is to use another operating system with full EFI support,
such as GNU/Linux, and use its own boot loader, GRUB, as
our boot loader for a wide variety of non-Microsoft
Windows OSes.


1. Install an EFI-compliant GNU/Linux distribution for x86-
64 bits. I strongly recommend GNU Debian 7.5 IA64.

2. Ensure that GNU Debian has its own ESP. By default,
this ESP is 200 MB in size.

3. Power on the UEFI-compliant computer, pressing
down the "Supr" key to stop the default booting process.

4. Enter and execute the grubx64.efi EFI application us-
ing the built-in UEFI shell.

5. Select the desired OS boot loader in the GRUB-2 menu.


That is all. If you do not want to, or are not happy with, deal-
ing with complexity, this is the best alternative to take ad-
vantage of the new UEFI PC architectures and to get rid
of the BIOS the old-fashioned way.


Dealing with the SecureBoot Feature 

(SHIM boot Loader) 

In this sense, despite Microsoft's efforts to make our lives
more difficult by means of the SecureBoot feature, thanks
to the work of ... a functional version of an EFI boot loader
named SHIM is available for download at
http://www.codon.org.uk/~mjg59/shim-signed/. The procedure
to use it could not be simpler:


• Rename shim.efi to bootx64.efi.
• Put this file into the /boot/EFI directory.


Now, generate a certificate and put the public half as a bi- 
nary DER file somewhere on your install media. On boot, 
the end-user will be prompted with a 10-second count- 
down and a menu. Choose “Enroll key from disk” and 
then browse the file system to select the key and follow 
the enrolment prompts. Any boot loader signed with that 
key will then be trusted by shim, so you probably want to 
make sure that your grubx64.efi image is signed with it. 

This design has been borrowed from Suse’s boot load- 
er developers and requires that the boot loader itself has 
its own key database, distinct from the one provided by 
UEFI specification. In such a way, as the boot loader is in 
charge of its own key enrolment, the boot loader has the 
freedom to manage its own policy. 
Testing UEFI

In order to avoid any damage to a real computer, we
strongly recommend you use a virtualized environment to
test any UEFI features before moving on to the real
computer, as follows:


qemu-system-x86_64 -serial stdio -bios OVMF.fd -hda fat:<path to boot directory>

qemu-system-x86_64 -serial stdio -bios OVMF.fd -cdrom <path to ISO image>


Also, the FreeBSD developers have documented the way of
creating UEFI media for testing purposes. To wrap up, let
us describe how to create UEFI-capable USB HD and CD-ROM
media:


USB HD with UEFI support media generation

gpart create -s gpt da0
gpart add -t efi -s 800K da0
gpart add -t freebsd-ufs da0
dd if=/boot/boot1.efifat of=/dev/da0p1
newfs /dev/da0p2

Then, perform the install to the UFS partition, as usual:

mount /dev/da0p2 /mnt
make DESTDIR=/mnt installkernel installworld distribution
echo "/dev/da0p2 / ufs rw 1 1" >> /mnt/etc/fstab
umount /mnt

CD-ROM with UEFI support media generation


dd if=/dev/zero of=efiboot.img bs=4k count=100
mdconfig -a -t vnode -f efiboot.img
newfs_msdos -F 12 -m 0xf8 /dev/md0
mount -t msdosfs /dev/md0 /mnt
mkdir -p /mnt/efi/boot
cp loader.efi /mnt/efi/boot/bootx64.efi
umount /mnt
mdconfig -d -u 0

makefs -t cd9660 -o bootimage='i386;efiboot.img' -o no-emul-boot -o rockridge -o label="UEFItest" -o publisher="test" uefi-test.iso image


Remember 
The boot directory must contain the EFI executables required. 


Conclusions and Remarks 


If you are wondering why the BIOS approach was kept for
decades, a justification for such longevity may be found
in the fact that MS-DOS for the PC was built on top of the
BIOS, and MS-DOS programs called BIOS routines through
software interrupts; the BIOS disk I/O routine, for instance,
corresponds to INT 13h. In order to preserve compatibility,
this approach survived an unexpectedly long time, despite
its technical weaknesses and limitations.

What's more, EFI was originally designed for Itanium 64-bit
processors, although nowadays IA-32 may support EFI-based
firmware and there are some companies selling IA-32
computers with full EFI support, such as Insyde Software.

Furthermore, the BIOS depends on VGA which is a lega- 
cy standard and does not allow defining new boot devices 
unless they’ve already been included in BIOS routines. The 
current approach for graphics support is UGA, which is pro- 
vided by EFI too. In such a way, the UEFI approach consti- 
tutes a true extensible firmware management system. 
Debugging and Troubleshooting: Fun, Profit and Go Home Earlier


Debugging/Troubleshooting is a really useful skill when
you are maintaining legacy applications, making small
incremental changes to an old code base where the code has
been touched by so many hands over the years that it is
really becoming a mess, and management has decided that the
code works as-is and you are not allowed to rewrite it all
"the right way (tm)".

This is the kind of situation where debugging skills will
save us time and headaches, and possibly let us find a
solution with a minimal amount of effort.

First, we are going to debug an old legacy C application
that takes plain text files and inserts them into a
database; it worked until some new change made a dormant
"feature" visible to the users (data is getting truncated
and users are complaining, so this needs to be fixed ASAP,
before close of business). For this situation we are going
to use the classic gdb debugger.

Second, we are going to debug a Java application that is
having performance issues (it takes 4 times as long as the
old C application). It is the new way of getting the data
into the database instead of the old C application, and
unfortunately, believe it or not, it has the same issue as
its old C counterpart.

We will use heap dumps, jdb (http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jdb.html)
and gdb for this.
In the third scenario, we will go back to the first one but
take a different approach: we will debug without having the
source code, relying only on the disassembled code we can
see through gdb.

For the fourth scenario, we will only have a heap dump and
we will need to go all the way to find the issue lurking
in the Java code.

Finally, we will approach both situations using DTrace,
which is available in FreeBSD, OS X, Solaris and OpenSolaris,
and we will check whether this tool is beneficial and a time
saver in the process.


First Scenario 

For debugging we will use GDB. If you don't have the ports
collection installed, you should do so (we need PostgreSQL
for this tutorial, so you should use ports if you want an
up-to-date version of postgresql), using the following
instructions as root:


# portsnap fetch 
When running Portsnap for the first time, extract the
snapshot into /usr/ports as follows:


# portsnap extract 


After the first use of Portsnap has been completed
as shown above, /usr/ports can be updated as needed
by running:


# portsnap fetch
# portsnap update


When using fetch, the extract or the update operation 
may be run consecutively, like so: 


# portsnap fetch update

We will need the following packages for this tutorial:


• postgresql-client
• postgresql-server


You could install version 8.4.21 using pkg
(http://www.freebsd.org/cgi/man.cgi?query=pkg&sektion=7) as
root using the following commands:

pkg install postgresql84-client-8.4.21
pkg install postgresql84-server-8.4.21_1


For detailed instructions on installing and configuring
postgresql, you should read one of the guides from the
official site: https://wiki.postgresql.org/wiki/Detailed_installation_guides#FreeBSD.

Also, we will use some test data from
http://www.briandunning.com/sample-data/ to execute the
examples in this tutorial. We will need to download the
US 500 sample (this one is


Figure 2. Trying to update clients using the us.csv file
free). You should rename this file to us.csv for the purposes
of this tutorial.

Once you have postgresql installed, you need to create the
us table using us.sql (all the files needed for this tutorial
are in the workshop.tar.gz included).


The Incident (a.k.a. Production Down)
You have received an email stating that the current process
for adding new clients has stopped working and nobody knows
why. All that management knows is that the file must be
loaded into the database before business closes, or they
will have to give upper management a serious explanation
about what happened and how they will prevent it from
happening in the future. So, to avoid all this stress, you
have been selected to fix this problem right away, before
anyone knows what is actually happening (which means you
work all night if needed). So let's get to it as quickly as
possible, as we don't want to spend our nap time debugging
an old application that we really don't want to touch: there
is no documentation and the original programmers are not
available. As far as you know, this program was the product
of a joint venture between contractors of different
nationalities. Also, the code and comments are in Spanish.

Let's start running the program. It takes as a parameter 
a file name where the client data is: see Figure 2. 

All seems fine, the program does what it is supposed to do;
false alarm again, just 30 minutes to go home. Just to be
sure, I'll check the table to see if all the data is in




Figure 3. Checking if clients present in the us.csv file are in the 
database 
there; after all, that is the issue that has been reported
(see Figure 3).

Tough luck, there really is an issue here. I'll fetch the
source code and fire up gdb. I have better things to do
than debug old code all night, and according to management
this one must be fixed before the next run, as the users
are inserting the data manually.

The source code fortunately was still in the backups, so I
created a minimal makefile for this. I just needed it to
compile and let the compiler put all the debugging symbols
needed into the object file for an "easy" debug session.





Figure 4. Simple makefile to start debugging 


The -ggdb flag is an old gcc flag that does the following
according to the official manual
(https://gcc.gnu.org/onlinedocs/gcc-4.7.4/gccint/All-Debuggers.html):

If we are using clang, this does not matter, as you can use
the -g flag ("Generate complete debug info"). Let's compile
this thing and see what is happening: see Figure 5.

Well, at least it compiles; it could be worse at this time.
Now the debug symbols are in there, so let's try setting
some breakpoints to catch the problem at hand. Looking at
the source code, the first obvious breakpoint must be set
at the insert function call: see Figure 6.

I'll start a debugging session, passing the us.csv file to
the program as a parameter, as follows: see Figure 7. To
start a debugging session, just type the following command:


gdb <program name> 


This will take us to a (gdb) prompt where we could use all 
the commands available in the GDB debugger. If we were 
to debug a running program, we should type: 

(gdb) attach <pid of running program> 

And it will take us to the same prompt again, but notice
that in this case it will cause the world to stop for the
running program until we let it complete in our debug
session. Also, if we had a core dump, we could check the
stack trace, but in this case we have no core dump to take
a look at.

Figure 7. Running gdb using us.csv as parameter to the update_clients program

Now, first I'll set a breakpoint using the break command
(I could type just "b" as a short form). If we need some
help with a command, we just type the usual:

(gdb) help <command> 


For example, type "help break" and this screen will be
presented to us:

Figure 8. Running gdb help command


Now, I have my breakpoint ready at the insert function.
I'll run the program and check what happens at runtime.
I run the program by typing:

(gdb) r ../data/us.csv

Figure 10. Running gdb using the win command

Where “r” is the abbreviated form of run. You could pass 
the parameters to the program next to the command. 
In this case this program only takes one that is the file 
containing client data (../data/us.csv): see Figure 9. 

As I'm lucky to have the source code, I can use the win
command, which will display the source code and the exact
line the execution has stopped at, as follows: see Figure 10.

Then we need to check the value of the input parameter
Data to the insert function, so I just type:


(gdb) display Data 


This command will print the value of the Data variable
every time we hit a breakpoint, as long as the breakpoint
is within the scope of this variable, as follows: see
Figure 11.

All seems OK with the data and the functions that make up
the SQL statement. So, we need to check where the SQL
statement is executed. Hence, we will put a break at the
query(char*) function, looking at the documentation for
the libpq library
(http://www.postgresql.org/docs/9.1/static/libpq-exec.html).
It seems that checking for NULL is not enough. To really
know what the database tells us about the result of each
transaction, we will use the following functions:

Figure 12. Running gdb stopping at a breakpoint


PQresultErrorMessage
Returns the error message associated with the query, or an
empty string if there was no error.
const char *PQresultErrorMessage(PGresult *res);

PQresultStatus
Returns the result status of the query. PQresultStatus can
return one of the following values:

PGRES_EMPTY_QUERY,
PGRES_COMMAND_OK,     /* the query was a command returning no data */
PGRES_TUPLES_OK,      /* the query successfully returned tuples */
PGRES_COPY_OUT,
PGRES_COPY_IN,
PGRES_BAD_RESPONSE,   /* an unexpected response was received */
PGRES_NONFATAL_ERROR,
PGRES_FATAL_ERROR

Figure 16. Running gdb SQL error


Let's run it again; the result will be as follows: see
Figure 14. Where did that come from? It looks like somebody
implemented a function that tries to insert a hash but it
never worked. Looking at the file, when it was created they
never took the header out of the CSV file, as shown: see
Figure 15.

Let's remove that from the file and try again. Now we have
another problem, according to the table of data types shown
as follows: see Figure 16.

It makes no sense that “LA” is being considered as if it 
were a zip code (see Figure 17). 

Then, I'll set a breakpoint in the extract_field function
when it tries to extract the value for the 7th field. I
don't want to wait for all fields to be processed, so I
just set a condition on the breakpoint as follows (see
Figure 18):

(gdb) b extract_field if nfield == 7

Figure 20. extract_field back trace

I'll just type c (short form of continue) to resume the
program execution. I'll go over every instruction from the
program and check the values of the local variables. In
this case I have stopped at the extract_field function, as
I'm checking why the "LA" value is being considered as a
zip code (integer, see Figure 19). To display the value of
a variable I'm interested in during this debug session,
typing

(gdb) display <variable>

will do; for example, in this case:

(gdb) display field
(gdb) display nfield

These are variables that live within the scope of the
extract_field function. If I don't want to display one of
the values anymore, I just have to type: undisplay <variable>.

This is interesting: the extraction of the field at
position 7 gives the value "Orleans", but according to the
data the value should be "LA". So, what is the problem? It
seems that extract_field has a bug; this thing is off by a
field. I'll check the backtrace to remember how I got to
this point. Typing "bt" shows me the backtrace.

A backtrace is a summary of how your program got where it
is. It shows one line per frame, for many frames, starting
with the currently executing frame (frame zero), followed
by its caller (frame one), and on up the stack (see
Figure 20).
Figure 21. Detecting the error

There it is: the whole string being tokenized by the
extract_field function is "James,Butt....", as we see in
frame 0. The interesting part is the argument separator =
"," and the third field of the string: \"Benton, John B Jr\".

The bug is the comma inside the third field, which causes
the "LA" value to be considered as a zip code.

Let's fix the code at runtime. I'll set a breakpoint at line
242 and replace the string \"Benton, John B Jr\" with
\"Benton John B Jr\" and see how it goes (Figure 21).
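The field-shifting bug found above, as an added example that is not the tutorial's update_clientes.c (its source is not on the page): a naive comma tokenizer beside a quote-aware extractor, run over a constructed line shaped like a us.csv record; the function names, sample line and helper are our own.

```c
/* Added example, not the tutorial's code: the sample line, function names
 * and helper are constructed for illustration. */
#include <stdio.h>
#include <string.h>

/* Constructed line shaped like one us.csv record: first name, last name,
 * company, address, city, county, state, zip. The company field holds a
 * comma and is protected by double quotes. */
static const char SAMPLE_LINE[] =
    "James,Butt,\"Benton, John B Jr\",6649 N Blue Gum St,"
    "New Orleans,Orleans,LA,70116";

typedef int (*extract_fn)(const char *, int, char *, size_t);

/* Naive extractor: every ',' is a separator, quotes are ignored. Copies the
 * 1-based field nfield into out; returns 0, or -1 if no such field. */
int extract_field_naive(const char *line, int nfield, char *out, size_t outsz)
{
    const char *start = line, *p;
    int cur = 1;

    if (outsz == 0)
        return -1;
    for (p = line; ; p++) {
        if (*p != ',' && *p != '\0')
            continue;                     /* data byte, keep scanning */
        if (cur == nfield) {
            size_t len = (size_t)(p - start);
            if (len >= outsz)
                len = outsz - 1;          /* truncate, never overflow out */
            memcpy(out, start, len);
            out[len] = '\0';
            return 0;
        }
        if (*p == '\0')
            return -1;                    /* ran out of fields */
        cur++;
        start = p + 1;
    }
}

/* Quote-aware extractor (RFC 4180 rules): a ',' inside double quotes is
 * data, "" inside quotes is a literal quote, and the enclosing quotes are
 * stripped. Same contract as extract_field_naive. */
int extract_field_quoted(const char *line, int nfield, char *out, size_t outsz)
{
    const char *p;
    size_t len = 0;
    int cur = 1, in_quotes = 0;

    if (outsz == 0)
        return -1;
    for (p = line; ; p++) {
        char c = *p;
        if (in_quotes) {
            if (c == '\0')
                break;                    /* unterminated quote: stop here */
            if (c == '"' && p[1] == '"') {
                p++;                      /* "" -> one literal quote */
            } else if (c == '"') {
                in_quotes = 0;            /* closing quote */
                continue;
            }
        } else if (c == '"') {
            in_quotes = 1;                /* opening quote */
            continue;
        } else if (c == ',' || c == '\0') {
            if (cur == nfield) {
                out[len] = '\0';
                return 0;
            }
            if (c == '\0')
                return -1;
            cur++;
            continue;
        }
        if (cur == nfield && len + 1 < outsz)
            out[len++] = c;               /* data byte of the wanted field */
    }
    if (cur != nfield)
        return -1;
    out[len] = '\0';
    return 0;
}

/* Helper: 1 if fn extracts field nfield from line as exactly expect, or,
 * when expect is NULL, if fn reports that the field does not exist. */
int field_equals(extract_fn fn, const char *line, int nfield, const char *expect)
{
    char buf[64];
    int rc = fn(line, nfield, buf, sizeof buf);

    if (expect == NULL)
        return rc == -1;
    return rc == 0 && strcmp(buf, expect) == 0;
}
```

With the naive tokenizer field 7 of the sample line is "Orleans" and "LA" has slid into field 8, exactly what the gdb session showed; the quote-aware version returns "LA" for field 7.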

To set a breakpoint at a specific line of code, use the
following command:

(gdb) b <source.c>:<line number>

as in:

(gdb) b update_clientes.c:247


Now let's run this again: see Figure 22.

Figure 22. Running again after correcting the error

Figure 23. Displaying the breakpoints info
I had some breakpoints set, so I'll delete them by typing d
and the breakpoint number. To know which breakpoints we
need, we type:

(gdb) i b

That is the short form of breakpoints information: see
Figure 23.

Now, I'll replace the actual string value with the one I
want, using the following command:

(gdb) set <variable> <value>

I have changed the value, but it is still failing. That is
because I picked the wrong breakpoint to change the data.
We should have set a breakpoint at line 121, where the
string is being passed as a parameter to the function that
calls this subroutine. Let's fix this and go home!

Figure 25. Re-setting the breakpoint

It worked for the record we modified (no SQL error at
insert), but here comes another record with the same issue
as the one we corrected. At least we know the fix we applied
at runtime made it work. So now it is just a matter of
modifying the data and reprocessing it from this point.


But what if we are not allowed to modify the source code to
make the necessary changes for this to work? What if we
don't have the source code to debug?

For that situation, we could use library interposers and
add a wrapper around the function that is causing us
trouble. We could also use gdb to debug even if we don't
have the source code available.

All these topics will be covered in another tutorial
continuing this series.


Conclusions 

The GNU debugger (gdb) is a really powerful tool that gives
you an edge when troubleshooting an application. As a
developer, you should be proficient in using it, and it
will serve you well.


CARLOS ANTONIO NEIRA BUSTOS 

Carlos Neira has worked several years as a C/C++ developer and kernel
porter, debugging enterprise legacy applications. He is currently
employed as a C developer under z/OS, debugging and troubleshooting
legacy applications for a global financial company. He is also engaged
in independent research on affective computing. In his free time he
contributes to the PC-BSD project and enjoys metal detecting.
With File Sharing and





FreeBSD is a modern and capable operating system (OS) 
which can be both robust and easily manageable if used in 
an office or a workgroup server environment. It supports 
the whole range of cutting edge Open-Source technologies, 
which makes using it a completely pleasant and well- 
featured experience. The latest FreeBSD release, 10.0, 
delivers a bunch of improvements which increase both the 
performance and usability of this fine operating system. 


We have prepared a workshop which aims to give users with
minimal knowledge of FreeBSD a step-by-step guide on how to
install and configure a usable office server from scratch.
This server is intended to provide office workers or
collaborators with a modern central point for sharing data,
which they can trust and rely on in their daily work.

Its main features will be document sharing, collabora- 
tion and E-mail. The various tasks of the server will be 
handled by different standard Open-Source tools as we 
will use Samba and the built-in FreeBSD Network File 
System (NFS) servers for serving files in the local net- 
work, ownCloud for sharing files across the public Inter- 
net, Apache and PHP for serving web applications, Post- 
fix for the SMTP server and finally Dovecot for the E-mail 
server. We will also add a webmail interface to our server 
using RoundCube and we will finally protect our server by 
using tools such as ipfw and sshit. 




First Step: Installing FreeBSD 

Starting with the previous major release of FreeBSD 
(9.0), the Operating System can be installed with a new 
installer which supports more of its new technologies 
Figure 1. The new FreeBSD installer allows the use of current
technologies while being user-friendly enough for new users

than its predecessor. At the same time, it offers more
manual configuration options for expert users.

Since the tutorial is about deploying a server, the hard- 
ware configuration on which the system will be installed is 
assumed to contain two Hard Drives (HD), which will be 
mirrored in software using FreeBSD’s GEOM_MIRROR 
facility. The usage of two drives for the server is a com- 
mon compromise between reliability and cost, and the 
same can be said about using Software RAID instead of 
a Hardware RAID controller. For a small office server, ge- 
neric desktop drives of suitable capacity (e.g. 1.5 TB or 
2 TB) are a fine choice, but “enterprise-class” drives are 
not that expensive and can be worth searching, if only be- 
cause they usually have more mature firmware and dis- 
abled on-drive write caching. 





Figure 2. The production system will run from a software RAID1 
volume powered by GEOM_MIRROR 


This initial step of the process is the only one which
requires a small detour in the default installation process,
in which the required kernel module for GEOM_MIRROR will be
loaded and the RAID volume is created. The rest of the
installation process is smart enough to recognize such
manually created devices and can use them to create
partitions and file systems.

Our setup will use the default FreeBSD file system, 
which in the most recent version, is a variant of the UFS2 
file system with soft-updates-journaling enabled. For 
those who are experienced with Linux, the characteristics 
of this file system (very) loosely correspond to ext4 with 
the data=writeback option enabled. An alternative file sys- 
tem for FreeBSD could be ZFS, which is one of the op- 
tions presented in the installer but marked as experimen- 
tal, and for this, it will be covered briefly. 


The New Package Manager 

The traditional way of installing software on FreeBSD (and
many other Unix-like operating systems) is by compiling
code. The BSD systems have evolved infrastructure (the
ports collection) which makes this much easier
and offers somewhat advanced features such as depen- 
dency tracking, but practical daily use of ports still re- 
quires expert knowledge that is not required by the more 
streamlined Linux systems. Though the ports can be 
used (and regularly are used) to build binary packages, 
these packages were until recently both much less flex- 
ible and rarely built, which made them an inferior choice 
compared to ports. 

Finally, the recent version of FreeBSD (V10.0) brings 
in a modern binary package manager called “pkg”, with a 
new infrastructure and a new approach to binary packag- 
es. They are no longer second-class citizens of the Free- 
BSD user land but a fully supported and maintained way 
of maintaining software, for the most part that is removed 
from the quirks of using ports. The package manager is 
steadily improving and can now deal with most of the situ- 
ations which arise in daily use (Such as dependency is- 
sues), and the default package repository for FreeBSD 
contains almost all software available in ports. Being pre- 
built with default options, the binary packages are still less 
flexible than ports, but the strategies to reduce the differ- 
ence in flexibilities are actively under development. 

Though the new package manager is called “pkg” (also 
called “pkg-ng” but that name is now obsolete), it does not 
share code with other software with the same name, and 
most notably that from Solaris. Unusually for a BSD, the 
package manager is itself NOT a part of the base system, 
but is installed seamlessly on first use. 


Figure 3. As the BSD systems are traditionally divided into the "base"
system and the third party applications, the installer only needs to
install the "base" and "kernel" files


Local File Sharing with Samba 

Samba is the famous Open-source project which brings 
compatibility with Microsoft's file sharing technologies to 
non-Windows operating systems. It is an important proj- 
ect which receives regular updates and is maintained to 
be compatible with the latest Windows variants. The latest
version of Samba can act as an Active Directory Domain
Controller, which expands its capabilities and opens up new
use cases. Samba under FreeBSD works mostly out of the box,
but requires some moderate tuning to be as high-performing
as users expect it to be.


Local File Sharing with NFS 

The Network File System (NFS) is the preferred local file
sharing protocol between Unix-like systems, mostly due to
its ubiquitous presence in such systems and the relative
simplicity of its operation. Consequently, it is worth
using only between such systems, as it is usually poorly
suited to truly heterogeneous environments. FreeBSD's
native NFS server and client are well supported and fairly
high-performing, and require minimal configuration and no
third party software to get running.


Apache and PHP For Web Applications 

The combination of the Apache web server and the PHP 
programming language is the most common web appli- 
cation infrastructure on the Internet. The large volume of 
applications written in PHP and the relative simplicity of 
their setup / installation make it attractive for the office 
server. Indeed, all other web applications which will be 
covered by this tutorial are written for PHP and will be 
powered by this very setup. A very important aspect of
running a web server today is SSL/TLS, the protocol which
provides the end-to-end encryption used in HTTPS. The part
of the workshop dealing with Apache will also cover creating
and submitting an SSL certificate request, as well as its
installation.


File Sharing and Collaboration over The 
Internet With ownCloud 

While Samba and NFS are perfectly suitable for sharing files 
in the local network (e.g. within an office or in a company), 
they were not created for sharing files over the wider Inter- 
net. They lack the flexibility and security properties needed 
in the global environment with unknown users and unreliable 
connectivity. The recently prominent Open-source project 
“ownCloud” will be used in our configuration to provide file 
sharing and collaboration across the Internet. It is a pow- 
erful tool which consists of several applications, and file 
sharing is just one of the options that it supports. Among 
its basic features, it supports shared contacts and calen- 
dar, and a Dropbox-like desktop file synchronization util- 
ity, but it also supports adding third-party applications and 
extensions which greatly increase its usability. 


E-mail Servers With Postfix and Dovecot 


The E-mail system used today relies on two types of
protocols: for routing E-mail to and between E-mail servers,
and for retrieving E-mail from those servers. The protocol
of the first type is the Simple Mail Transfer Protocol
(SMTP), implemented (among other products) by Postfix.
There are several protocols of the second type, but the
most feature-rich and the most popular today is IMAP,
implemented (also, among other products) by Dovecot.


Figure 4. OwnCloud is a web application with several parts, among
which are a Dropbox-like file synchronization service and a shared
calendar


An important part of running an e-mail server is spam 
protection. This is a topic which can get very complex very 
quickly, but the workshop will guide through basic anti- 
spam measures which include acceptance rules for the 
SMTP server and the SpamAssassin software for active 
e-mail scanning. 


WebMail with RoundCube 

E-mail is traditionally accessed by desktop software (e.g. 
Thunderbird, Windows Live Mail, eM Client or Zimbra 
Desktop) but using a web-based application is becoming 
increasingly convenient because it doesn't require addi- 
tional software installation and the web can be accessed 
through corporate and hotel firewalls. 










Figure 5. RoundCube is a web GUI for IMAP file servers with a familiar 
and simple interface and powerful options and plugins 
RoundCube is a web application written in PHP which can act
as an IMAP client and present all the e-mail available on
the server in a modern and pretty web-based user interface.


Protecting The Server With ipfw and sshit 

As the server in this tutorial contains services intended to 
be used over the Internet, appropriate effort needs to be 
undertaken to ensure both the server and its services are 
resilient to common attacks which are a matter-of-course 
on the open Internet. 

FreeBSD’s default firewall is ipfw, with an easy and 
straightforward syntax and optional stateful packet in- 
spection. A good (and always welcome) addition to it is the 
sshit package which blocks brute-force attacks over ssh. 


Final Thoughts 

The goal of this tutorial is to teach users with moderate 
experience in any Unix-like system to install and deploy a 
quality office server with common applications and servic- 
es. To ensure this, the tutorials of the workshop will cover 
not only how something is done but also why it’s done. 
And this will also be reflected in the final test. 


IVAN VORAS 

Ivan Voras is a FreeBSD developer and a long-time user, starting with
FreeBSD 4.3 and throughout all its versions' history. On the practical
side, he is a researcher, system administrator and a developer, as the
opportunity presents itself, with a wide range of experience from
hardware hacking to cloud computing. He is currently employed at the
University of Zagreb, Faculty of Electrical Engineering and Computing,
and lives in Zagreb, Croatia. You can reach him through his English
blog (http://ivoras.net/blog), Croatian blog (http://hrblog.ivoras.net/)
or Google+ (https://plus.google.com/).
Return Oriented Programming





Since 1988, the Morris Worm stack overflow has been a 
nightmare for developers. Several countermeasures have 
been created to avoid this kind of attack. Compilers are 
pioneers in developing such techniques. 

Sadly, few programmers know very much about 
compilers' options as they usually compile pro- 
grams with inherited procedures. For instance, the 
very well known GCC compiler has a stack protection with 
the -fstack-protector option [1]. 

In the middle of the past decade, manufacturers intro- 
duced the No-execute (NX) bit which prevents the execu- 
tion of code beyond the text area of a program. When this 
bit is ON, the processor sends a signal to the Operating 
System (OS). In addition, it is also necessary for the Op- 
erating System to be instructed to stop the code execu- 
tion. In Windows, this is achieved by activating Data 
Execution Prevention. 

Readers must be aware that the NX bit does not pre- 
vent stack overflow and only prevents the execution of 
injected code. So, if you are able to exploit such a vul- 
nerability, you are completely free to write anything you 
like in the stack. However, a clever hacker may think... 
"Of course, I can't execute code but I can alter the nor- 
mal flow of execution, making the program go to another 
address by means of overwriting the return address lo- 
cated in the stack". 

As a proof of concept, we will work with this simple pro- 
gram: 


#include <ctype.h> 
#include <stdio.h> 
#include <stdlib.h>   /* atoll() */ 
#include <string.h> 

/* Usage and error messages. Their definitions were not legible in the 
   scanned listing, so these two texts are a reconstruction. */ 
static const char *mensaje0 = "Usage: %s <parameter file>\n"; 
static const char *mensaje1 = "Cannot open parameter file\n"; 

/* Reference table: in1 selects the entry, in2 must match it */ 
int tabla[5] = { 91, 92, 93, 94, 95 }; 

int main(int argc, char *argv[]) 
{ 
    FILE *fd; 
    int in1, in2; 
    int arr[20]; 
    char var[20]; 

    if (argc != 2) { 
        printf(mensaje0, *argv); 
        return -1; 
    } 
    fd = fopen(argv[1], "r"); 
    if (fd == NULL) 
    { 
        fprintf(stderr, mensaje1); 
        return -2; 
    } 
    /* odd fill values (as best read from the scan): they only make both 
       areas easy to spot in the stack window of the debugger */ 
    memset(var, 77, sizeof(var)); 
    memset(arr, 6, 20 * sizeof(int)); 
    while (fgets(var, 20, fd)) 
    { 
        in1 = atoll(var);          /* first line: the index */ 
        fgets(var, 20, fd); 
        in2 = atoll(var);          /* second line: the value */ 
        /* fill array: in1 is never range-checked, which is the flaw 
           this article exploits */ 
        arr[in1] = in2; 
        //printf("%d - %d\n", arr[in1], tabla[in1]); 
        if (arr[in1] != tabla[in1]) 
        { 
            printf("Sorry values are not correct!\n"); 
            return 1; 
        } 
        printf("Correct. The process follows\n"); 
        printf("You are in the core of the program\n"); 
        return 0; 
    } 
    return 0; 
} 


Code Logic 

The program reads a file with 2 lines; each line contains 
a number (in1 & in2), in1 is used as the index. If the val- 
ue contained in the cell tabla[in1] is equal to in2, then the 
process is OK and will continue; otherwise, the process 
terminates. In a real environment, the table will be outside 
the program, even encrypted or secured with another se- 
curity measure; but for us, this is not relevant because the 
only matter we must deal with is the return address. 

Readers may wonder at these odd initializations: 

memset(var, 77, sizeof(var)); 
memset(arr, 6, 20*sizeof(int)); 

They are only a trick to make these values more vis- 
ible in the stack area. And this is what happens when the 
parameter values contained in the file are: 2 (in the first 
line) and 93 (in the second line): see Figure 1. 
And as shown in the next figure, this is what will happen 
when the parameter file contains incorrect values: 2, 95: 
see Figure 2. 

Figure 3. (Ollydbg disassembly of the comparison: CMP, JE SHORT to 
0x4017F2, the puts calls for the "Data are not correct" / "Data are 
correct" messages, then LEAVE and RET at 0x40180C.) 

Figure 4. (Ollydbg stack window.) 

Now, we start the program under Ollydbg [2] and we 
should set a breakpoint at the conditional jump that depends on 
the values in the parameter file. When the parameters are set 
correctly, the following snapshot should appear. Take a 
look: see Figure 3. 

As shown, the program jumps to 0x4017F2 and follows 
the normal execution (in this example, the normal execu- 
tion is only a message). If the data is not correct, a “Data 
are not correct....” message appears. Afterwards, control 
is transferred to address 0x40180C. Now, let’s take a look 
at the stack: see Figure 4. 

Due to the special initializations, it's easy to locate the vari- 
able areas. We focus on address 0x22FF2C; this is a re- 
turn address and we can be 90% sure this return address 
would be used by the RET instruction at address 0x40180C. 
We put another breakpoint at this address so that execution 
continues until this point, as shown: see Figure 5. 

Great!!! ESP points to address 0x22FF2C. This is 
our target! 

What should we do next? We must overwrite this ad- 
dress with the value 0x4017F2, addressing directly the nor- 
mal part of the program. This entry in the stack is at an 
offset of 6 above our work areas. The program does not 
check the values in the parameter file, so if we change the first pa- 
rameter to a value of 26, we can overwrite this entry. The 
second value must be 0x4017F2 in decimal: 4200434. 
This image clarifies the settings: see Figure 6. So, we 
must see the message first, which is telling us that the in- 
put is not correct. Afterwards, because we have changed 
the value of the return address, the messages will tell us 
that our data are correct, as follows: We can take advantage 
of a vulnerability without injecting code, and the exploit 
works even while the program is running in a system with 
Data Execution Prevention. 
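The root cause in the listing above is that in1 is used as an array index without any range check, so a value of 26 lands on the saved return address above arr[]. As an added example (my own code, not from the article), here is a bounds-checked version of the fill-and-compare step together with a small parser for the two-line parameter file, read from a string so it runs without a file. The names index_in_range, check_pair, parse_pair and run_check are my own, and the sample parameter files are constructed from the values used in the article (2/93, 2/95, and 26/4200434).

```c
#include <stdio.h>
#include <stdlib.h>

#define TABLE_LEN 5
#define ARR_LEN   20

/* Same reference table as the article's program (values as reconstructed) */
static const int tabla[TABLE_LEN] = { 91, 92, 93, 94, 95 };

/* Returns 1 if idx is a valid index into an array of len elements */
int index_in_range(long idx, size_t len)
{
    return idx >= 0 && (size_t)idx < len;
}

/* Hardened version of the article's fill-and-compare step. in1 is checked
 * against BOTH arrays before any memory is touched, so an index such as 26
 * is refused instead of writing over the saved return address above arr[].
 * Returns 1 when (in1, in2) is accepted, 0 when rejected. */
int check_pair(int *arr, long in1, long in2)
{
    if (!index_in_range(in1, ARR_LEN) || !index_in_range(in1, TABLE_LEN))
        return 0;
    arr[in1] = (int)in2;
    return arr[in1] == tabla[in1];
}

/* Parse the two-line parameter file (index, then value) from a string.
 * strtol() with end-pointer checks replaces the unchecked atoll() calls.
 * Returns 1 on success, 0 if either number is missing or malformed. */
int parse_pair(const char *text, long *in1, long *in2)
{
    char *end;
    *in1 = strtol(text, &end, 10);
    if (end == text)
        return 0;
    text = end;
    *in2 = strtol(text, &end, 10);
    return end != text;
}

/* Whole check on one parameter file held in memory.
 * Returns 1 = accepted, 0 = rejected, -1 = malformed input. */
int run_check(const char *file_text)
{
    int arr[ARR_LEN] = { 0 };
    long in1, in2;
    if (!parse_pair(file_text, &in1, &in2))
        return -1;
    return check_pair(arr, in1, in2);
}

int main(void)
{
    /* Constructed parameter files: the article's correct pair, its incorrect
     * pair, the overwrite attempt (index 26, value 4200434 = 0x4017F2) and a
     * negative index. Expected: 1, 0, 0, 0 */
    const char *samples[] = { "2\n93\n", "2\n95\n", "26\n4200434\n", "-1\n91\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %d\n", i, run_check(samples[i]));
    return 0;
}
```

The check on in1 is the fix the article's program needs; compiling with GCC's -fstack-protector (mentioned at the start of the article) adds a canary that would abort the process when the overwrite reaches the return address, but it does not replace the range check, because a canary detects the corruption only after it has happened.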


One Step More... 
The technique explained above is only one way of ex- 
ploiting a buffer overflow, but there are other ways. 
Another way is called return-to-libc. With ret2libc, we 
replace the return address with the address of a system 
function and its parameters, usually a call to the system() 
function. The technique I explained earlier is called 
return chaining. Let's see an example. 
Look at the following Figure 8. 
We have identified the following instructions, each one 
followed by a RET instruction: 

* pop eax 
* pop ecx 
* mov [ecx], eax 

Figure 8. 

Also, there is a RET in the program at the address: 
0x684a0f4e. 







These instructions extract the value on the top of the 
stack. And the following RET extracts the value which trans- 
fers control to: 

0xdeadbeef 

Code at this address is: 

Like the previous set of instructions, this one, after extracting a value 
from the stack and loading it in the ECX register, transfers 
control to this code: 
The final result will be as in the following figure: 
This set of values is called a "gadget"; a patient hacker 
can collect a large set of addresses of instructions fol- 
lowed by a ret and make a catalogue. Then, by combining 
the needed values, he can execute instructions as if the 
code was being injected. 

We can see gadgets like notes written by criminals in 
old movies: 
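To make the gadget idea concrete from the defender's side, here is an added example in C (my own code, not from the article): a small model of a CPU that runs the three gadgets named above over a simulated stack, with a shadow stack that records the return address every CALL pushed and flags any RET whose target was never pushed by a CALL. The gadget addresses 0x1000, 0x1004 and 0x1008, the labels F_LEAF and A_CALLER, and the target word 7 are made-up labels for the model, not addresses from the figures; 0xdeadbeef is the value the article uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Made-up addresses for the model: labels, not real code */
#define G_POP_EAX   0x1000u   /* pop eax ; ret */
#define G_POP_ECX   0x1004u   /* pop ecx ; ret */
#define G_MOV       0x1008u   /* mov [ecx], eax ; ret */
#define F_LEAF      0x3000u   /* a normal function body that just returns */
#define A_CALLER    0x2000u   /* where control should return after the call */
#define TARGET_WORD 7u        /* data word the chain writes to */

#define MEM_WORDS   16
#define STACK_WORDS 16
#define MAX_STEPS   64

struct cpu {
    uint32_t eax, ecx, eip;
    uint32_t mem[MEM_WORDS];        /* data memory, addressed by word index */
    uint32_t stack[STACK_WORDS];    /* stack[esp] is the top of stack */
    int esp;
    uint32_t shadow[STACK_WORDS];   /* return addresses as pushed by CALL */
    int shadow_top;
};

static void reset(struct cpu *c)
{
    memset(c, 0, sizeof(*c));
    c->esp = STACK_WORDS - 8;       /* leave room above for the caller's frame */
}

static void push(struct cpu *c, uint32_t v) { c->stack[--c->esp] = v; }
static uint32_t pop(struct cpu *c)          { return c->stack[c->esp++]; }

/* CALL pushes the return address on both the real and the shadow stack */
static void call(struct cpu *c, uint32_t target, uint32_t ret_addr)
{
    push(c, ret_addr);
    c->shadow[c->shadow_top++] = ret_addr;
    c->eip = target;
}

/* RET pops its target. A target the shadow stack did not see pushed by a
 * CALL is a control-flow violation: exactly what a gadget's trailing RET
 * looks like. A real implementation aborts here; the model only counts so
 * the chain can be observed to completion. */
static int ret(struct cpu *c)
{
    uint32_t target = pop(c);
    int violation = 1;
    if (c->shadow_top > 0 && c->shadow[c->shadow_top - 1] == target) {
        c->shadow_top--;
        violation = 0;
    }
    c->eip = target;
    return violation;
}

/* Run until control reaches A_CALLER; returns the number of RETs the shadow
 * stack did not vouch for, or -1 if control lands on unknown code. */
int run(struct cpu *c)
{
    int violations = 0, steps;
    for (steps = 0; steps < MAX_STEPS && c->eip != A_CALLER; steps++) {
        switch (c->eip) {
        case G_POP_EAX: c->eax = pop(c); break;
        case G_POP_ECX: c->ecx = pop(c); break;
        case G_MOV:     c->mem[c->ecx % MEM_WORDS] = c->eax; break;
        case F_LEAF:    break;              /* nothing to do before its ret */
        default:        return -1;
        }
        violations += ret(c);               /* every modelled block ends in RET */
    }
    return violations;
}

/* Normal call/return: the shadow stack agrees, so no violation */
int legit_call_demo(void)
{
    struct cpu c;
    reset(&c);
    call(&c, F_LEAF, A_CALLER);
    return run(&c);
}

/* The article's chain: the saved return address is replaced by the first
 * gadget and the words above it hold the operands and the next gadgets. */
int rop_chain_demo(uint32_t *written)
{
    struct cpu c;
    reset(&c);
    call(&c, F_LEAF, A_CALLER);        /* legitimate CALL: shadow holds A_CALLER */
    c.stack[c.esp + 0] = G_POP_EAX;    /* overwritten saved return address */
    c.stack[c.esp + 1] = 0xdeadbeef;   /* popped into eax */
    c.stack[c.esp + 2] = G_POP_ECX;
    c.stack[c.esp + 3] = TARGET_WORD;  /* popped into ecx */
    c.stack[c.esp + 4] = G_MOV;        /* mem[ecx] = eax */
    c.stack[c.esp + 5] = A_CALLER;     /* last ret leaves the chain */
    int v = run(&c);
    *written = c.mem[TARGET_WORD];
    return v;
}

int rop_chain_violations(void) { uint32_t w; return rop_chain_demo(&w); }
uint32_t rop_chain_written(void) { uint32_t w = 0; rop_chain_demo(&w); return w; }

int main(void)
{
    printf("legit call: %d violations\n", legit_call_demo());
    printf("rop chain:  %d violations, mem[%u] = 0x%08x\n",
           rop_chain_violations(), TARGET_WORD, rop_chain_written());
    return 0;
}
```

The legitimate call produces no violation, while the chain does write 0xdeadbeef into memory word 7 exactly as the article describes, but the three RETs that land on gadgets are each reported because no CALL ever pushed their targets. That mismatch between what CALL pushed and what RET pops is the principle behind shadow-stack protections such as the one in Intel CET, and it is why return chaining is detectable even though NX is never violated.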
Conclusion 

In this article, I introduced how easily a hacker can exploit 
a stack overflow in an NX bit protected system and the 
other protections that we must not neglect as well, such 
as compiler options and Address Space Layout Random- 
ization (ASLR). Only when these protections are working 
together can we speak of a hardened programming 
environment. 